missing bits of "splice: fix racy pipe->buffers uses"

that commit has fixed only the parts of that mess in fs/splice.c itself;
there had been more in several other ->splice_read() instances...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/kernel/relay.c b/kernel/relay.c
index 98833f664fb6853f5bbb3194fb4c465833869624..7d38607649a3298f4a84efcd12208e43acd4b5fc 100644 (file)
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -1251,7 +1251,7 @@ static ssize_t subbuf_splice_actor(struct file *in,
        subbuf_pages = rbuf->chan->alloc_size >> PAGE_SHIFT;
        pidx = (read_start / PAGE_SIZE) % subbuf_pages;
        poff = read_start & ~PAGE_MASK;
        subbuf_pages = rbuf->chan->alloc_size >> PAGE_SHIFT;
        pidx = (read_start / PAGE_SIZE) % subbuf_pages;
        poff = read_start & ~PAGE_MASK;

-       nr_pages = min_t(unsigned int, subbuf_pages, pipe->buffers);
+       nr_pages = min_t(unsigned int, subbuf_pages, spd.nr_pages_max);

 
        for (total_len = 0; spd.nr_pages < nr_pages; spd.nr_pages++) {
                unsigned int this_len, this_end, private;
 
        for (total_len = 0; spd.nr_pages < nr_pages; spd.nr_pages++) {
                unsigned int this_len, this_end, private;

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 7511de35257fadb42b8e846a2f2b7ffdeefd7faa..27924caaa124397754854385c635d5c374006269 100644 (file)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -4410,7 +4410,7 @@ static ssize_t tracing_splice_read_pipe(struct file *filp,
        trace_access_lock(iter->cpu_file);
 
        /* Fill as many pages as possible. */
        trace_access_lock(iter->cpu_file);
 
        /* Fill as many pages as possible. */

-       for (i = 0, rem = len; i < pipe->buffers && rem; i++) {
+       for (i = 0, rem = len; i < spd.nr_pages_max && rem; i++) {

                spd.pages[i] = alloc_page(GFP_KERNEL);
                if (!spd.pages[i])
                        break;
                spd.pages[i] = alloc_page(GFP_KERNEL);
                if (!spd.pages[i])
                        break;


@@ -5267,7 +5267,7 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos,
        trace_access_lock(iter->cpu_file);
        entries = ring_buffer_entries_cpu(iter->trace_buffer->buffer, iter->cpu_file);
 
        trace_access_lock(iter->cpu_file);
        entries = ring_buffer_entries_cpu(iter->trace_buffer->buffer, iter->cpu_file);
 

-       for (i = 0; i < pipe->buffers && len && entries; i++, len -= PAGE_SIZE) {
+       for (i = 0; i < spd.nr_pages_max && len && entries; i++, len -= PAGE_SIZE) {

                struct page *page;
                int r;
 
                struct page *page;
                int r;
 

diff --git a/mm/shmem.c b/mm/shmem.c
index 17d3799d04bdbead0215968710e943cfec437977..37400a148f29e5bf99611ecdf8dbed44212248fd 100644 (file)
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1613,7 +1613,7 @@ static ssize_t shmem_file_splice_read(struct file *in, loff_t *ppos,
        index = *ppos >> PAGE_CACHE_SHIFT;
        loff = *ppos & ~PAGE_CACHE_MASK;
        req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
        index = *ppos >> PAGE_CACHE_SHIFT;
        loff = *ppos & ~PAGE_CACHE_MASK;
        req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;

-       nr_pages = min(req_pages, pipe->buffers);
+       nr_pages = min(req_pages, spd.nr_pages_max);

 
        spd.nr_pages = find_get_pages_contig(mapping, index,
                                                nr_pages, spd.pages);
 
        spd.nr_pages = find_get_pages_contig(mapping, index,
                                                nr_pages, spd.pages);